Analysis of Passwords Dumped from LinkedIn

I love taking a look at dumped passwords and analyzing them with Pipal by DigiNinja. Pipal is a great analytical program that takes a password dump and looks for patterns, including password lengths and complexities. I have always liked statistics and you can learn a lot from running passwords through Pipal.

I took a quick look at Pastebin and found that Stefan Venken (@StefanVenken) had already taken almost a million and a half of the LinkedIn passwords and analyzed them with Pipal. Here are some of the more interesting results:

Password length (length ordered)

  1. 6 = 281193 (20.75%)
  2. 7 = 211946 (15.64%)
  3. 8 = 444338 (32.79%)

From this portion of cracked passwords, 8-character passwords were the most commonly used: 444,338 users chose passwords that were 8 characters long.

In fact, a whopping 69% of the passwords that were cracked were 8 characters or fewer…

30% of the cracked passwords used only lowercase letters, while 45% contained just lowercase letters and numbers. From the statistics, it looks like almost all of these were in the format of lowercase letters followed by one or more numbers, with the numbers always at the end.

Overall, only 1% of the users used passwords that were made up of mixed case letters, numbers and symbols…
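To show what Pipal is counting in the figures above, here is a small Pipal-style analyser added for this post (it is not Pipal's own code): it takes a plain-text dump of cracked passwords and reports the length distribution, the share at 8 characters or fewer, the character-class composition, and how many passwords follow the lowercase-letters-then-digits pattern. The dump embedded below is a constructed sample, not data from the LinkedIn leak.

```python
import re
from collections import Counter

# Constructed sample dump (one cracked password per line); not from the LinkedIn leak.
SAMPLE_DUMP = """123456
password
linkedin
monkey
sunshine1
welcome12
Passw0rd!
qwerty
abc123
Summer2011
"""

# The pattern the Pipal output above hints at: lowercase letters, then digits at the end.
LOWER_THEN_DIGITS = re.compile(r"^[a-z]+[0-9]+$")

def classify(pw):
    """Bucket a password by character classes, using Pipal-like bucket names."""
    has_lower = any(c.islower() for c in pw)
    has_upper = any(c.isupper() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    has_symbol = any(not c.isalnum() for c in pw)
    if has_lower and not (has_upper or has_digit or has_symbol):
        return "loweralpha"                 # lowercase letters only
    if has_lower and has_digit and not (has_upper or has_symbol):
        return "loweralphanum"              # lowercase letters and numbers only
    if has_digit and not (has_lower or has_upper or has_symbol):
        return "numeric"                    # digits only
    if has_lower and has_upper and has_digit and has_symbol:
        return "mixedalphaspecialnum"       # mixed case, numbers and symbols
    return "other"

def analyse(dump):
    """Return the headline statistics Pipal would print for this dump."""
    pws = [line for line in dump.splitlines() if line]
    total = len(pws)
    lengths = Counter(len(p) for p in pws)
    classes = Counter(classify(p) for p in pws)
    pct = lambda n: round(100.0 * n / total, 2)
    return {
        "total": total,
        "length_pct": {n: pct(c) for n, c in sorted(lengths.items())},
        "eight_or_less_pct": pct(sum(c for n, c in lengths.items() if n <= 8)),
        "class_pct": {k: pct(v) for k, v in classes.items()},
        "lower_then_digits": sum(1 for p in pws if LOWER_THEN_DIGITS.match(p)),
    }

if __name__ == "__main__":
    for key, value in analyse(SAMPLE_DUMP).items():
        print(key, value)
```

Run over an organisation's own audit of expired passwords, the same counts show whether a password policy actually prevents the lowercase-then-digits habit described above.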

And according to an article on Arstechnica, all of the normal bad passwords were present, including:

  • 123456
  • 1234567
  • 12345678
  • password
  • strongpassword
  • And of course, linkedin

People put a lot of personal information out on LinkedIn, many of them while looking for a new job or business opportunities. Users post their education and job experience along with the groups that they belong to, a treasure trove of information for Social Engineers. It would seem that of all the online social sites, LinkedIn is the one where users would really choose a long, complex password to secure their account.

But as every one of the top bad passwords of 2011 was found in the dump, it truly makes one wonder: what in the world is people’s fascination with the password “monkey”???

LinkedIn Passwords Stolen and Posted Online

Numerous security sites are abuzz about an estimated 6.5 million LinkedIn passwords that have allegedly been stolen. According to reports about 300,000 have been cracked and were posted in clear text on Russian forums.

Earlier today, LinkedIn confirmed in a blog post that some of the passwords did in fact correspond to LinkedIn accounts. They also provided information on how they are handling the data breach:

  1. Members that have accounts associated with the compromised passwords will notice that their LinkedIn account password is no longer valid.
  2. These members will also receive an email from LinkedIn with instructions on how to reset their passwords. There will not be any links in this email. Once you follow this step and request password assistance, then you will receive an email from LinkedIn with a password reset link.
  3. These affected members will receive a second email from our Customer Support team providing a bit more context on this situation and why they are being asked to change their passwords.

LinkedIn is continuing to investigate the breach; until then, the best bet is to change your password immediately. LinkedIn’s recommendations for strong passwords can be found here.

Hackers Targeting Social Media Sites for Social Engineering Attacks

Hackers using Social Engineering attacks are getting much better at their craft, and people are making it very easy for them. A Social Engineer will use information gathered about a person, place or business in specially crafted attacks that play on people’s thoughts, beliefs or emotions.

But how do they get personal information that they could use against someone?

Drum roll please…

Social Media sites!

“No way”, you say, “I only give friends, colleagues and people I know access to my Facebook page.” Do you really? I mean come on, let’s be honest. We have all seen them, people with 500, 1000, even 2000 people or more on their friends list. Do they really know all those people?

People are human, and humans are always into popularity contests. It reminds me of the TV commercial where the daughter is sitting in front of her computer with hundreds of friends on her social media site. And she is making fun of her parents who have like 5 on their site, but then it shows the parents out kayaking (or something like that) with friends.

Hackers are using this very weakness of the human psyche to gain pertinent and sometimes very personal information about a person. But how you ask?

How about Linked-In? Do you get friend requests from people you have never heard of that “know you” from some website, have similar likes or dislikes, or attended the same conference? Hackers are gaining full technical backgrounds, co-worker names, titles and even full resumes using this very simple tactic.

It also works on Facebook. Except here, social engineers gain personal information about you: everything from news about your family to your interests (sports, clubs, etc.). Heck, some people even go as far as to post their travel plans and even food preferences. Sometimes a lucky hacker will even get the daily itinerary of a very trusting individual.

How could they leverage this information in an attack?

Simple: from Linked-In they could craft an e-mail saying they are from some company that you worked with or for. Or, from Facebook, that they are from your kid’s school or from one of the many clubs that you attend and have scheduling or other important “news”. All this in an attempt to get you to click on a link that leads to a malware-infested site or to get you to open a PDF file that contains a backdoor trojan.

A friend recently received an e-mail supposedly from the technical support department for a product that he actually owned. It was about an important update, and the link for the update led to a site that tried several browser exploits in an attempt to install remote access malware. It was very believable; luckily, the broken English in the e-mail made him think twice before he visited the site.

How do you protect yourself from these types of attacks?

It is always best to actually know or have met the person that you are allowing into your social media circles. Limit the level of personal information that you place on these sites. And be very careful telling people your schedules. Do your 2000+ friends really need to know that you will be out of the country for 2 weeks and what airline you will use and what hotel you will be staying at?

Just some things to think about. Hackers are getting much better using Social Engineering attacks. A little discretion will go a long way.